Stored Cross-Site Scripting Vulnerability in Custom Twitter Feeds Plugin for WordPress
CVE-2026-6177

7.2 HIGH

What is CVE-2026-6177?

The Custom Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting because the function that renders cached tweet text does not adequately escape its output. The cached tweet data is reachable through an unauthenticated AJAX action, so any HTML or JavaScript present in the cached data is executed in the browser of a visitor who loads the affected endpoint. An attacker who can get malicious content into the cached tweet data can therefore run script in the site's context for unwitting visitors, which poses a significant risk to site users.
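The defect class described above, as an added example that is not code from the Custom Twitter Feeds plugin: a renderer that interpolates cached tweet text into markup unescaped, beside a hardened version that escapes at the point of output, plus a small review check that flags raw tags in the rendered result. All function names, the AJAX action name and the cache key are hypothetical, and the esc_html() stand-in is only there so the file runs outside WordPress.

```php
<?php
// Added example (not the plugin's own code). Function names, the AJAX action
// and the transient key are hypothetical.

// Stand-in for WordPress's esc_html() so this file runs with plain `php`;
// when WordPress is loaded the real function is used instead.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Vulnerable shape: cached text is concatenated into markup as-is, so whatever
// was stored in the cache reaches the browser verbatim.
function ctf_example_render_unsafe( array $tweet ) {
    return '<p class="tweet-text">' . $tweet['text'] . '</p>';
}

// Hardened shape: escape at the point of output. The cache is storage, not a
// trust boundary, so cached data is treated like any other untrusted input.
function ctf_example_render_safe( array $tweet ) {
    return '<p class="tweet-text">' . esc_html( $tweet['text'] ) . '</p>';
}

// Renders the whole cached list; this is the string an AJAX handler echoes.
function ctf_example_render_feed( array $cached, $safe = true ) {
    $out = '';
    foreach ( $cached as $tweet ) {
        $out .= $safe ? ctf_example_render_safe( $tweet ) : ctf_example_render_unsafe( $tweet );
    }
    return $out;
}

// Review check: the template itself only emits <p>, so any active element
// tag in the output must have come from the data unescaped.
function ctf_example_contains_raw_tag( $html ) {
    return (bool) preg_match( '/<(script|img|svg|iframe)\b/i', $html );
}

// Constructed sample cache entries (not real tweets).
function ctf_example_sample_cache() {
    return array(
        array( 'text' => 'Plain tweet text' ),
        array( 'text' => 'Markup in cache: <script>alert("xss")</script>' ),
    );
}

// Hypothetical WordPress wiring: the same handler for logged-out (nopriv) and
// logged-in requests, always rendering through the escaped path.
if ( function_exists( 'add_action' ) ) {
    add_action( 'wp_ajax_nopriv_ctf_example_feed', 'ctf_example_ajax' );
    add_action( 'wp_ajax_ctf_example_feed', 'ctf_example_ajax' );
}
function ctf_example_ajax() {
    $cached = get_transient( 'ctf_example_cache' ); // hypothetical cache key
    if ( ! is_array( $cached ) ) {
        $cached = array();
    }
    echo ctf_example_render_feed( $cached, true );
    wp_die();
}

// Stand-alone demonstration outside WordPress: php this_file.php
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_action' ) ) {
    $cache  = ctf_example_sample_cache();
    $unsafe = ctf_example_render_feed( $cache, false );
    $safe   = ctf_example_render_feed( $cache, true );
    echo 'unsafe output contains raw tag: ', var_export( ctf_example_contains_raw_tag( $unsafe ), true ), "\n";
    echo 'safe output contains raw tag:   ', var_export( ctf_example_contains_raw_tag( $safe ), true ), "\n";
    echo $safe, "\n";
}
```

The point of the check function is that it can be run over the handler's output in a unit test, so an escaping regression in the renderer is caught before it reaches the unauthenticated endpoint; where tweet text legitimately needs a limited set of inline markup to survive, wp_kses() with an explicit allow-list is the WordPress replacement for esc_html(), not raw output.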

Affected Version(s)

Custom Twitter Feeds – A Tweets Widget or X Feed Widget: all versions up to and including 2.5.4 (0 <= version <= 2.5.4)

References

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

gidget smith